CN103457958A - Cloud computing network server inner core safe access method - Google Patents


Info

Publication number
CN103457958A
Authority
CN
China
Prior art keywords
access
cloud computing
server
access control
safety
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN2013104268607A
Other languages
Chinese (zh)
Inventor
陈伟东
王超
徐峥
邢希双
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Inspur Electronic Information Industry Co Ltd
Original Assignee
Inspur Electronic Information Industry Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Inspur Electronic Information Industry Co Ltd
Priority to CN2013104268607A
Publication of CN103457958A
Legal status: Pending

Landscapes

  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to the technical field of secure kernel access for cloud computing network servers, and in particular to a secure kernel access method for cloud computing network servers. The method combines the actual requirements of cloud computing security with a next-generation access control model (UCON). UCON not only has the capabilities of a traditional access control model but also integrates trusted management and digital rights management. The UCON access control model is used to control system resources at the storage and file layer. A customizable, tailored access control model is adopted on the server virtualization platform to protect the security of cloud computing virtualization. At the network layer, DDoS attacks are defended against and DNS communication is monitored for security. Illegal access is discovered and prohibited in time so as to ensure secure server communication.

Description

A cloud computing system kernel server secure access method
Technical field
The present invention relates to the technical field of secure kernel access for cloud computing system servers, and in particular to a cloud computing system kernel server secure access method.
Background
Most servers in a cloud computing system are deployed in a cloud computing center and perform distributed computation under centralized management. Besides bringing enormous computing and application capability, cloud computing also brings security threats to the data of the cloud computing center. The service models of cloud computing are SaaS (software as a service), PaaS (platform as a service) and IaaS (infrastructure as a service). In addition to the traditional security threats such as data corruption or loss, cracking of accounts or services, denial of service (DoS) attacks, malware intrusion and software vulnerabilities, cloud computing also faces the risks of superuser access, data location, isolation failures or failure of data encryption, disaster recovery of data, and privacy exposure. The virtual resource isolation problems introduced by cloud computing put critical enterprise data under serious threat, and the security of a cloud computing system requires multi-level, all-round defense (timely detection, defense, response and recovery) of the data center servers and virtual resources.
Cloud computing security requires identity and access management, and provides users with trust and security levels. Low-risk data can be put into the cloud with confidence, while high-impact or critical data requires the access control protection and privacy safeguards of the system. In recent years, APT (advanced persistent threat) attacks have posed a serious threat to networks. Relevant organizations are now actively formulating cloud computing security standards and measurement systems. The present invention establishes a multi-level, three-dimensional defense system at the system layer, network layer and application layer of cloud computing center servers, and researches and realizes a controllable cloud computing server security system. For resource access control, next-generation access control technology (UCON) protects access to cloud computing resources. Viruses and malware are controlled, monitored and prohibited from accessing core system resources. At the network level, illegal processes and ports are prohibited from accessing servers, illegal use of covert channels is prohibited, and DDoS attacks and the like are prevented. The cloud computing provider provides mechanisms for data supervision, including monitoring, authorization and access control. The system provides an audit mechanism for supervision and access control. Trusted computing technology includes the following requirements: guaranteeing the integrity of system resources and data, secure data storage, and trusted network connection. Cloud computing resources are huge in number, discretely distributed, frequently scheduled, and have high security requirements.
Traditional attribute-based access control models cannot meet the complex requirements of cloud security. UCON (usage control) access control technology, in addition to the capabilities of traditional access control models, adds factors such as obligations and conditions. The trust level and reference count of an access are controlled: different trust levels yield different access rights, and when the reference count reaches a certain value, further resource access can be prohibited. Virtualization security protection adopts a method similar to UCON access control, custom-tailored for characteristics such as virtual storage. Virtual network security is enforced by access control at the transport layer and session layer.
Current server resource access techniques apply access control at the kernel layer to resources such as host processes, files and the registry. In the complex environment of cloud computing, such kernel server hardening techniques are clearly insufficient in trust grading, distributed computing and storage, and Internet-based access control capability.
Summary of the invention
To solve the problems of the prior art, the present invention is based on a next-generation access control model, adds new access control elements to aspects such as subject and object attributes, adds trust management and reference counting of key resources, takes strategies such as disabling access when the access count reaches a certain level, and, for network access, strengthens monitoring of server communication, monitoring of abnormal traffic and DNS traffic, and prohibition of illegal communication.
The technical solution adopted in the present invention is as follows:
A cloud computing system kernel server secure access method, which includes controlling system resources at the storage and file layers with an access control model that adopts next-generation access control technology, and protecting the virtualization security of cloud computing by adopting a customizable, tailored access control model on the server virtualization platform.
The method specifically comprises a control method for when a user accesses the cloud computing server and virtualized server, and a control method for network access control of the cloud computing server and virtual machines.
The control method for when a user accesses the cloud computing server and virtualized server comprises:
A1. authentication of identity, domain and the like;
B1. obtaining resource access rights according to user identity, trust level, resource reference count and the like;
C1. before access, during access and after access, changing the attributes of subject and object when the corresponding conditions are met, and carrying out the corresponding rights and obligations;
D1. at the kernel layer, comparing accesses to key resources and accordingly performing read-only, writable or disabling operations;
E1. the virtualization system adopting a custom-tailored access control policy that guarantees security according to characteristics such as virtual machine storage.
The control method for network access control of the cloud computing server and virtual machines comprises:
A2. division of network security domains and boundary protection, and access control of network resources;
B2. remote access security;
C2. DDoS attack risk and defense, and prohibition of illegal access devices;
D2. a network security audit system;
E2. network control on virtual machines enforced at the transport layer, prohibiting illegal communication.
The cloud computing system kernel server secure access technology of the present invention is mainly used for server security in cloud computing data centers. It includes a secure kernel access technique (based on file and network drivers), UCON (usage control) access control technology, a server-side module and an infrastructure module.
The secure kernel access technique refers to using next-generation access control technology (UCON) to control all kinds of system resources in the complex cloud computing environment.
Next-generation access control technology (UCON): with today's diversified information resources and demands for precision, resource access is dynamically controlled with decision factors such as authorization, obligations and conditions, realizing trust-rated and reference-counted control of resource access.
The server-side module communicates with the kernel driver and with the remote access client.
The infrastructure module is used by the administrator to communicate with the server side and to call all kinds of resources. It provides the modules for user interaction and computation.
The resource access control policy adopts authentication, identity management policy and UCON control, together with data leakage control and privacy protection. File system driver and network driver technologies apply access control and filtering at the bottom of the system. A trusted cloud computing service application platform is built, providing functions such as access control and audit logging for access to critical data.
The present invention controls cloud computing center server resources with the UCON (usage control) access control policy. For users accessing the server, beyond traditional access control policies and in line with the actual requirements of cloud computing security, attribute control is applied to aspects such as trust rating and reference count. For secure communication, a network defense architecture compatible with the IPv4/IPv6 protocols is adopted: illegal network processes are prohibited from communicating, abnormal network traffic is detected, and abnormal communications such as DNS are detected and prohibited.
The present invention, with reference to international standards, national information security graded protection standards such as the "Cloud Computing Standardization White Paper" and "ISO/IEC JTC1 SC38-17788, 17789", and the Trusted Computer System Evaluation Criteria (TCSEC), adopts the next-generation UCON access control model to control server resources, and uses tailorable, customizable access control to manage virtual resources. Resources in the cloud computing system are protected by methods such as UCON access control and trusted computing, and viruses and malware are controlled, monitored or prohibited from accessing system resources. In different security management domains, users have different resources and rights. Access domains require unified identity authentication management, with UCON used to make the access control policy. For server resources (storage resources, files, processes, registry, user services, etc.), in addition to traditional access control, constraint attributes such as trust rating and reference count are added. According to the next-generation access control model, restrictions of obligations and conditions are added. Access to network resources is restricted and monitored by rules on processes, addresses/ports, traffic and the like. Abnormal traffic and abnormal communications of particular protocols (such as DNS) are monitored. Network access by virtual machine resources can also be monitored.
The beneficial effects of the technical solution provided by the invention are:
The present invention, combined with the actual requirements of cloud computing security, uses the next-generation network access control model (UCON), which not only contains the capabilities of traditional access control models but also integrates trusted management and digital rights management capabilities. At the storage and file layers, system resources are controlled with the UCON access control model. On the server virtualization platform, a customizable, tailored access control model protects the virtualization security of cloud computing. At the network layer, DDoS attack defense, DNS secure communication monitoring and the like discover and prohibit unauthorized access in time, guaranteeing secure server communication.
Brief description of the drawings
Fig. 1 is a block diagram of a cloud computing system kernel server secure access method of the present invention;
Fig. 2 is a schematic diagram of the UCON access control model of a cloud computing system kernel server secure access method of the present invention.
Detailed description
To make the purpose, technical solutions and advantages of the present invention clearer, embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
The present embodiment is applied in a cloud computing server, performing access control on resources at the driver kernel layer. With reference to the SOS trusted operation grading standard, UCON (usage control) access control technology is adopted. The basic UCON elements comprise: subject, object, rights, and the elements related to authorization: conditions (authorization rules) and obligations, where conditions include trust level, resource reference count and the like. When the system accesses cloud computing resources, it authorizes the accessed object according to the user's trust level, the reference counting technique and mandatory access control rules, and performs operations such as read-only or disabling.
For network communication security, bottom-layer NDIS (Network Driver Interface Specification) driver technology is adopted to realize a server security gateway function. Network communication is subjected to high-speed packet filtering and illegal communication is prohibited. Abnormal traffic is monitored and DNS communication anomalies are discovered, for overall protection of cloud computing resource security.
The operating principle of the present invention is as follows:
1. When accessing cloud server resources, the access control process is:
A1. authentication and rights assignment;
B1. obtaining the resource information on the server and setting access rules with the UCON access control model. Subject, object, rights, trust level, user reference count and the like are set in the client infrastructure module;
C1. the client infrastructure module sends the settings to the server side according to the resource information on the server and the UCON-related rules, and the server side saves the rules;
D1. the subject attributes comprise the user number, usage rights, trust level, reference count, and the principal name using the resource;
E1. objects comprise the storage entities of the cloud data center, files and folders on the file system, processes, the registry, services and the like;
F1. access to virtual resources can use custom-tailored attributes and access control suited to the storage and computation requirements of the virtual environment;
G1. at the kernel layer, an interception driver is constructed with file system driver technology, using the IRP HOOK technique to intercept the relevant IRPs such as IRP_MJ_CREATE, IRP_MJ_READ, IRP_MJ_WRITE and IRP_MJ_SETINFORMATION;
H1. when the specified object is operated on, the subject and object attributes are updated, and operations such as disabling or read-only are performed according to the corresponding rights;
I1. audit information is recorded as required, including subject, object, attributes and action. The driver layer sends it to the application layer, including information such as trust rating and reference count, and the application layer writes it to the corresponding distributed database;
J1. the server security audit log can be queried through a browser and the like, and the corresponding resource rules are issued to the client.
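The usage decision that steps B1 to I1 describe, as an added example that is not code from the patent: subject and object attributes (trust level, rights, reference count), a pre-access check, an ongoing condition, a post-access attribute update, the read-only / writable / disabled outcome, and an audit record. The trust scale, the reference limit, the business-hours condition and the sample registry key are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Subject:
    user_id: str
    trust: int                      # trust level, assumed 0 (lowest) .. 3 (highest)
    rights: set = field(default_factory=set)   # usage rights granted at A1
    ref_count: int = 0              # accesses granted so far (mutable attribute)

@dataclass
class Resource:
    name: str
    kind: str                       # "file", "registry", "process", "service", ...
    read_trust: int                 # minimum trust for read-only access
    write_trust: int                # minimum trust for writable access
    ref_limit: int                  # reference count at which the subject is disabled
    conditions: list = field(default_factory=list)  # predicates over the environment

DISABLED, READ_ONLY, WRITABLE = "disabled", "read-only", "writable"

def pre_authorize(subject, resource):
    """Pre-access decision (step D1): rights, trust level and reference count."""
    if subject.ref_count >= resource.ref_limit:
        return DISABLED
    if subject.trust >= resource.write_trust and "write" in subject.rights:
        return WRITABLE
    if subject.trust >= resource.read_trust and "read" in subject.rights:
        return READ_ONLY
    return DISABLED

def decide(subject, resource, op, env, audit):
    """Usage decision for one operation ("read" or "write").

    Pre: rights/trust/reference-count check.  Ongoing: every condition of
    the resource must hold for the environment, otherwise usage is refused.
    Post: the subject's reference count is updated and an audit record
    (subject, object, attributes, action) is appended, as in step I1.
    """
    mode = pre_authorize(subject, resource)
    if mode == WRITABLE or (mode == READ_ONLY and op == "read"):
        granted = all(cond(env) for cond in resource.conditions)
    else:
        granted = False
    if granted:
        subject.ref_count += 1          # post-access update of a mutable attribute
    audit.append({"subject": subject.user_id, "object": resource.name,
                  "kind": resource.kind, "op": op, "mode": mode,
                  "granted": granted, "trust": subject.trust,
                  "ref_count": subject.ref_count})
    return granted

def demo():
    """Walk one subject through reads/writes of a registry key until the limit."""
    business_hours = lambda env: 8 <= env["hour"] < 18   # assumed condition
    key = Resource("HKLM\\SYSTEM\\Example", "registry", read_trust=1,
                   write_trust=3, ref_limit=3, conditions=[business_hours])
    alice = Subject("alice", trust=2, rights={"read", "write"})
    audit = []
    results = [
        decide(alice, key, "read", {"hour": 10}, audit),   # granted: trust 2 >= read_trust
        decide(alice, key, "write", {"hour": 10}, audit),  # refused: write needs trust 3
        decide(alice, key, "read", {"hour": 22}, audit),   # refused: outside condition
        decide(alice, key, "read", {"hour": 11}, audit),   # granted
        decide(alice, key, "read", {"hour": 12}, audit),   # granted, ref_count reaches 3
        decide(alice, key, "read", {"hour": 13}, audit),   # refused: disabled by ref_limit
    ]
    return results, audit

if __name__ == "__main__":
    for record in demo()[1]:
        print(record)
```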
2. When the server network is accessed, the network access control flow is:
A2. the NDIS bottom-layer driver intercepts and monitors packets;
B2. in the virtual environment, access control policies are applied to packets and communications at the transport layer;
C2. network traffic and abnormal communication are detected;
D2. packet filtering and communication monitoring are performed for the IPv4 and IPv6 protocols;
E2. information about the communicating process is obtained and abnormal traffic is monitored;
F2. stateful inspection is adopted to improve comparison efficiency;
G2. abnormal DNS communication is monitored and fed back to the application layer;
H2. where a network attack causes a DNS communication anomaly, the measurement indices of the DNS query packet stream are detected in real time;
I2. when a threshold is exceeded, the application layer raises an abnormality alarm;
J2. according to the process, the network communication five-tuple (source/destination address, source/destination port and protocol number) and the like, packet communication is monitored and filtered.
The foregoing are only preferred embodiments of the present invention and are not intended to limit the present invention; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included in the protection scope of the present invention.
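The network-layer flow above (steps A2 to J2) at the policy level, as an added example that is not the patent's driver code: process-aware five-tuple rule filtering (J2) and a per-source DNS query-stream index with a threshold alarm (H2, I2), run over a constructed packet log of the kind an interception driver would surface. The rules, thresholds, addresses and process names are assumptions chosen for illustration.

```python
from collections import defaultdict

ALLOW, DENY = "allow", "deny"

def pkt(ts, src, dst, sport, dport, proto, process, qname=None):
    """One intercepted packet: five-tuple plus owning process and DNS query name."""
    return {"ts": ts, "src": src, "dst": dst, "sport": sport, "dport": dport,
            "proto": proto, "process": process, "qname": qname}

# Constructed sample log (not captured traffic): a benign update check, web
# traffic, an unexpected inbound connection, and a burst of DNS queries
# from one host through a process that is not the system resolver.
PACKETS = [
    pkt(1, "10.0.0.5", "10.0.0.53", 40001, 53, "udp", "svchost.exe", "update.example.com"),
    pkt(2, "10.0.0.5", "203.0.113.9", 40002, 443, "tcp", "w3wp.exe"),
    pkt(3, "10.0.0.7", "10.0.0.5", 51000, 4444, "tcp", "unknown.exe"),
] + [
    pkt(4 + i, "10.0.0.9", "10.0.0.53", 42000 + i, 53, "udp", "tool.exe",
        f"host{i:02d}.example.net") for i in range(6)
]

# Five-tuple/process rules (assumed policy); first match wins, unmatched
# traffic is denied, which implements "forbid illegal processes and ports".
RULES = [
    {"proto": "udp", "dport": 53, "process": "svchost.exe", "action": ALLOW},
    {"proto": "tcp", "dport": 443, "process": "w3wp.exe", "action": ALLOW},
]

def matches(rule, packet):
    """A rule matches when every field it names equals the packet's field."""
    return all(packet.get(k) == v for k, v in rule.items() if k != "action")

def filter_packet(packet, rules=RULES):
    for rule in rules:
        if matches(rule, packet):
            return rule["action"]
    return DENY

def dns_query_index(packets, window=10):
    """Measurement indices per (source, time window): query count and
    number of distinct names queried, computed over all packets seen."""
    index = defaultdict(lambda: {"queries": 0, "names": set()})
    for p in packets:
        if p["dport"] == 53 and p["qname"]:
            bucket = (p["src"], p["ts"] // window)
            index[bucket]["queries"] += 1
            index[bucket]["names"].add(p["qname"])
    return index

def dns_alarms(index, max_queries=5, max_distinct=4):
    """Raise an alarm record when either index exceeds its (assumed) threshold."""
    alarms = []
    for (src, bucket), m in sorted(index.items()):
        if m["queries"] > max_queries or len(m["names"]) > max_distinct:
            alarms.append({"src": src, "window": bucket,
                           "queries": m["queries"], "distinct": len(m["names"])})
    return alarms

def run(packets=PACKETS):
    """Filter each packet and evaluate the DNS indices over the same stream."""
    decisions = [filter_packet(p) for p in packets]
    alarms = dns_alarms(dns_query_index(packets))
    return decisions, alarms

if __name__ == "__main__":
    decisions, alarms = run()
    for p, d in zip(PACKETS, decisions):
        print(d, p["process"], p["src"], "->", p["dst"], p["dport"])
    print("alarms:", alarms)
```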

Claims (4)

1. A cloud computing system kernel server secure access method, comprising controlling system resources at the storage and file layers with an access control model that adopts next-generation access control technology, and protecting the virtualization security of cloud computing by adopting a customizable, tailored access control model on the server virtualization platform.
2. The cloud computing system kernel server secure access method according to claim 1, characterized in that the method specifically comprises a control method for when a user accesses the cloud computing server and virtualized server, and a control method for network access control of the cloud computing server and virtual machines.
3. The cloud computing system kernel server secure access method according to claim 2, characterized in that the control method for when the user accesses the cloud computing server and virtualized server comprises:
A1. authentication of identity, domain and the like;
B1. obtaining resource access rights according to user identity, trust level, resource reference count and the like;
C1. before access, during access and after access, changing the attributes of subject and object when the corresponding conditions are met, and carrying out the corresponding rights and obligations;
D1. at the kernel layer, comparing accesses to key resources and accordingly performing read-only, writable or disabling operations;
E1. the virtualization system adopting a custom-tailored access control policy that guarantees security according to characteristics such as virtual machine storage.
4. The cloud computing system kernel server secure access method according to claim 2, characterized in that the control method for network access control of the cloud computing server and virtual machines comprises:
A2. division of network security domains and boundary protection, and access control of network resources;
B2. remote access security;
C2. DDoS attack risk and defense, and prohibition of illegal access devices;
D2. a network security audit system;
E2. network control on virtual machines enforced at the transport layer, prohibiting illegal communication.
CN2013104268607A 2013-09-18 2013-09-18 Cloud computing network server inner core safe access method Pending CN103457958A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2013104268607A CN103457958A (en) 2013-09-18 2013-09-18 Cloud computing network server inner core safe access method

Publications (1)

Publication Number Publication Date
CN103457958A true CN103457958A (en) 2013-12-18

Family

ID=49739912

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2013104268607A Pending CN103457958A (en) 2013-09-18 2013-09-18 Cloud computing network server inner core safe access method

Country Status (1)

Country Link
CN (1) CN103457958A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101986599A (en) * 2010-12-09 2011-03-16 北京交通大学 Network security control method based on cloud service and cloud security gateway
CN102710605A (en) * 2012-05-08 2012-10-03 重庆大学 Information security management and control method under cloud manufacturing environment
CN103023993A (en) * 2012-11-28 2013-04-03 青岛双瑞海洋环境工程股份有限公司 Enterprise information system based on cloud computing

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
TEHRAN: "A three-layer access", 《INTERNATIONAL JOURNAL OF COMPUTER SCIENCE AND INFORMATION SECURITY》 *
聂丽平: "Analysis and Research Based on the UCON Access Control Model", China Master's Theses Full-text Database, Information Science and Technology *

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103795726A (en) * 2014-02-14 2014-05-14 浪潮通信信息系统有限公司 Depth protection method for virtual data safety access
CN106211144A (en) * 2015-04-30 2016-12-07 华为技术有限公司 The communication means of a kind of mobile terminal and mobile terminal
US10638311B2 (en) 2015-04-30 2020-04-28 Huawei Technologies Co., Ltd. Communication method for mobile terminal and mobile terminal
CN106211144B (en) * 2015-04-30 2020-06-16 华为技术有限公司 Communication method of mobile terminal and mobile terminal
CN105912892A (en) * 2016-04-08 2016-08-31 浪潮电子信息产业股份有限公司 Process protection method and framework based on cloud computing
CN105912892B (en) * 2016-04-08 2018-09-04 浪潮电子信息产业股份有限公司 A kind of Process Protection system and method based on cloud computing
CN107800723A (en) * 2017-12-06 2018-03-13 中盈优创资讯科技有限公司 CC attack guarding methods and equipment
CN110347474A (en) * 2019-05-30 2019-10-18 苏州浪潮智能科技有限公司 A kind of method and device managing virtual machine
US20220156393A1 (en) * 2020-11-19 2022-05-19 Tetrate.io Repeatable NGAC Policy Class Structure
CN112784268A (en) * 2021-01-28 2021-05-11 深信服科技股份有限公司 Method, device, equipment and storage medium for analyzing host behavior data

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20131218